CLI WDAC Policy Creation From Suspicious Location

Rule Info

Name
CLI WDAC Policy Creation From Suspicious Location
Author
X__Junior
Description
Detects creation of Windows Defender Application Control (WDAC) from suspicious location
Reference
https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/
Date
2025-02-07 00:00:00
Modified
None
Id
1f70d105-ab63-45a3-a94b-20eea08a7da7
Tags
attack.defense-evasion
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022